North Korean-aligned actors deploy Python-based RAT against cryptocurrency and blockchain professionals
In a recent cyber campaign, a new Python-based Remote Access Trojan (RAT) named PylangGhost has been deployed by the North Korean-aligned group Famous Chollima. This malware is specifically designed to target individuals with experience in cryptocurrency and blockchain technologies.
The attack begins with fraudulent job postings, often impersonating well-known crypto companies such as Coinbase and Uniswap. Jobseekers are directed to skill-testing websites built with the React framework. On completing the test, the applicant is asked to record a video and prompted to grant camera access; the site then reports a fake camera-driver problem and instructs the applicant to copy a supposed driver-installation command and paste it into a terminal, the "ClickFix" social-engineering technique.
The pasted command downloads a ZIP archive containing the RAT's Python modules, a Visual Basic script and a renamed copy of the Python interpreter. The Visual Basic script unzips the archive and launches the Trojan by running its entry module, nvidia.py, with that renamed interpreter; nothing in the chain requires Python to be installed on the victim's machine.
PylangGhost consists of six Python modules: nvidia.py, config.py, command.py, auto.py, api.py and util.py. nvidia.py initialises the RAT, sets up persistence and establishes contact with the command-and-control (C2) server. config.py holds the configuration and the list of accepted commands. command.py implements the C2 commands, including file transfer, OS shell access and data exfiltration. auto.py is the credential stealer, harvesting stored credentials and cookies from more than 80 browser extensions. util.py handles file compression for the data to be exfiltrated. api.py carries the C2 traffic, which is encrypted with RC4.
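Two checks a responder can apply to the delivery chain and module layout described above, written as an added example here rather than taken from Cisco Talos or from the malware: the first inspects a downloaded ZIP for the six module names plus a .vbs loader, the second runs over process-creation telemetry and flags a Windows script host (wscript.exe or cscript.exe) starting a process that is handed a .py file, which is the "VBScript launches nvidia.py with a bundled interpreter" step. The Sysmon-style field names (ParentImage, Image, CommandLine), the sample events, and the directory and executable names inside the constructed archive are assumptions chosen for illustration, not indicators from the report.

```python
"""Triage helpers for the PylangGhost delivery chain (added example, not Talos or malware code)."""
import io
import json
import shlex
import zipfile
from pathlib import PureWindowsPath

# Module names given in the public write-up the article summarises.
PYLANGGHOST_MODULES = {"nvidia.py", "config.py", "command.py", "auto.py", "api.py", "util.py"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def archive_matches_pylangghost(zip_bytes: bytes) -> dict:
    """Report which of the expected artefacts a ZIP contains.

    Matching is done on basenames so that a nested directory inside the
    archive does not hide the modules.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [PureWindowsPath(n).name.lower() for n in zf.namelist()]
    modules_found = PYLANGGHOST_MODULES & set(names)
    vbs_loaders = [n for n in names if n.endswith(".vbs")]
    return {
        "modules_found": sorted(modules_found),
        "missing_modules": sorted(PYLANGGHOST_MODULES - modules_found),
        "vbs_loaders": vbs_loaders,
        "match": modules_found == PYLANGGHOST_MODULES and bool(vbs_loaders),
    }


def _runs_python_file(cmdline: str) -> bool:
    """True if any argument on the command line is a .py file (quotes tolerated)."""
    tokens = shlex.split(cmdline, posix=False)  # non-posix: backslashes are not escapes
    return any(tok.strip('"').lower().endswith(".py") for tok in tokens)


def suspicious_script_launches(events):
    """Flag process-creation events where a script host starts a process given a .py file.

    A real python.exe under wscript is unusual enough to report; an interpreter
    whose basename is not python*.exe, i.e. a renamed copy, is scored higher.
    """
    hits = []
    for ev in events:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if parent not in SCRIPT_HOSTS or not _runs_python_file(ev.get("CommandLine", "")):
            continue
        renamed_interpreter = not image.startswith("python")
        hits.append({
            "Image": ev["Image"],
            "CommandLine": ev["CommandLine"],
            "severity": "high" if renamed_interpreter else "medium",
        })
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for the dropped ZIP: six empty modules and a .vbs loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for module in sorted(PYLANGGHOST_MODULES):
            zf.writestr(f"drivers/{module}", "")          # directory name is made up
        zf.writestr("drivers/update.vbs", "' placeholder\n")  # loader name is made up
    return buf.getvalue()


# Constructed telemetry, not real events: a benign developer run, the renamed
# interpreter launched by wscript, and a real python.exe launched by wscript.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": r'"C:\Python312\python.exe" C:\work\build.py'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\dev\AppData\Local\Temp\drivers\svc.exe",
     "CommandLine": r'"C:\Users\dev\AppData\Local\Temp\drivers\svc.exe" "C:\Users\dev\AppData\Local\Temp\drivers\nvidia.py"'},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": r'"C:\Python312\python.exe" C:\Users\dev\Downloads\test.py'},
]

if __name__ == "__main__":
    print(json.dumps(archive_matches_pylangghost(build_sample_archive()), indent=2))
    for hit in suspicious_script_launches(SAMPLE_EVENTS):
        print(hit["severity"], hit["CommandLine"])
```

The archive check is deliberately strict (all six names plus a .vbs) to keep false positives low on an unrelated Python project; loosen it to a count threshold if you are hunting for variants that rename a module. The process check is the more durable of the two, because it keys on the behaviour of the loader rather than on file names the operators can change.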
PylangGhost gives the operators remote control of infected machines: they can upload and download files, run shell commands and extract sensitive data, including credentials stored by extensions such as MetaMask, 1Password and Phantom. Linux systems are not targeted in the current wave, and most known victims so far are located in India. Cisco Talos, which analysed the campaign, has no evidence that Cisco customers were affected.
The Python RAT closely mirrors the group's earlier Golang version, GolangGhost, in module structure and naming conventions, which suggests a shared developer or close collaboration between the authors of the two variants. The campaigns are also attributed to North Korea's Lazarus Group, under which Famous Chollima's activity is commonly grouped.
The new Python variant is deployed against Windows users, while the Golang-based RAT continues to be used against macOS systems.
Based on open-source intelligence, the overall impact so far is limited. The chain still relies entirely on the victim pasting a command into a terminal, so the practical defence is simple: no legitimate hiring process or skills test needs you to run a "driver installation" command, and anyone working in cryptocurrency or blockchain, a population these campaigns deliberately single out, should treat such a request as a compromise attempt.